
Messages - Rayman

#1
Edit: Post completely modified.

At first I focused only on the default route, which is changed by the default gateway.

I still hope that someone can help me to set this up correctly, as I'm not convinced it's right this way (in the old setup the WAN_IPTV gateway was not disabled).

EDIT: It turned out that the IPTV receiver will not boot again after 2 days working fine. So the setup still needs adjusting.

Thanks!


Kind regards,
Raymond
#2
Hi,

I've tried upgrading before from 19.1 series on my A10 appliance, but it always failed because internet was no longer working from the LAN.

I first noticed (on 20.1) that the default route was pointing to my WAN_IPTV interface which of course will not work.

Then I started playing around with the gateway settings.

I have attached my old and new gateway settings.

In 20.1 I have disabled my WAN_IPTV gateway, making the default route 'normal' and internet working.

Despite disabling the WAN_IPTV gateway, the IPTV appears to be working fine. EDIT: After 2 days the IPTV receiver will not start anymore, so it's not fine after all.

I just can't help wondering that this setup is not the setup it should be. What do you think the correct settings would be?

My setup: Xs4all fiber connection with internet on VLAN6 (PPPoE) and IPTV on VLAN4.

In gateway, logs, I find lots of the following errors:
dpinger: WAN_INTERNET_DHCP6 fe80::xxxxxx%pppoe1: sendto error: 65

IPv4 + IPV6 internet are working normal.
#3
Hi all,

Appliance: A10
Xs4all config:
Internet on VLAN6, IPTV on VLAN4.

I've used OPNsense until about July last year (I'll explain later why). Now, I did restore the configuration of last July on a fresh (serial) install on my A10.

If I do this, I don't have internet on the LAN interface, however, I can ping, from the A10, on the WAN interface to the internet.

If I disable the WAN_IPTV (Vlan 4) interface, internet starts working again, also from the LAN interface. Of course, I lose the IPTV. When I re-enable the WAN_IPTV interface, it breaks the internet on the LAN interface again.

Outbound NAT is set to automatic.

I have no manual routes configured.

Does anyone have an idea why the same configuration would cause no internet connection on LAN on 20.1?

If anyone has a suggestion, I'm going to try that. However, I must first do a serial install of 20.1, and restore the config to test. If it's not working, I have to serial install 19.1 again.

Also (but not important), an upgrade from 19.1 to 10.7 causes a bootloop in the A10 device.

Finally, if anyone is interested: last July I did get problems with internet disconnecting from time to time. I started using the Xs4all (Fritsbox) router to solve it. It turned out that a cable under the floor had a bad connection, so it was never a problem of OPNsense.

That's all for now.

I really hope someone can help.

Thanks,
Raymond

#4
I did, thanks again!
#5
You're a genius!

When I applied these settings, I did get an IPv6 address immediately, no reboot needed.

Thanks for your help.

Ray
#6
In System, logfiles, general I only see this:
opnsense: /services_dhcp.php: Warning! services_radvd_configure(auto) found no suitable IPv6 address on igb0

Did a search for dhcp6c and found nothing.

#7
Hi,

On my Xs4all fiber account I now have a working setup with Internet and (routed) IPTV, so that's good.

However, I can't get IPv6 working.

I have setup on my WAN interface:
IPv6 Configuration Type: DHCPv6
Configuration mode: Basic
Request only an IPv6 prefix: checked
Prefix delegation size: 48
Use IPv4 connectivity: checked
Rest: unchecked.

LAN interface:
IPv6 Configuration Type: Track interface
IPv6 Interface: WAN
IPv6 Prefix ID: 0.

If I try the same settings on my old pfSense setup, I get an IPv6 address.

It might be unrelated, really not sure, but on the Dashboard page, it shows DHCPv6 service as stopped, and it's not able to start.

Does anyone have an idea?

Firewall: A10, firmware 19.1.6.

Kind regards,
Ray
#8
@jmirakul

This was checked by Ad.

When using Internet Explorer (which I did), the certificate field is shown and the certificate data is in the config xml file.

When another browser is used (I've tried FireFox), the certificate fields are not even in the GUI, and the xml file is correct then.

Kind regards,
Ray
#9
Hi Franco,

Did not know this, I'll create an issue there.

Thanks,
Ray
#10
Hi,

Thanks for your reply!

You are totally right! Thank you very much!

After removing the cert from the config, tunnel did come up right away!

It would be better if the cert was removable from the gui of course. Maybe a dev can pick this up?
#11
I think it's definitely the certificate which is presented to the SonicWALL. In the SonicWALL log I see the following error:

IKEv2 initiator: Proposed IKE ID mismatch. In the data it shows the data of the certificate, which I don't want to use...

So, is it possible to configure OPNsense to NOT use a certificate for IPSEC?
#12
Hi,

These are the screenshots of the SonicWALL. I left out the network tab. It only shows names of the local and remote networks, but they are the full /24 local and remote network.

Ray
#13
Hi,

I attached the OPNsense screenshots.

Kind regards,
Ray
#14
I've been playing around with this.

Is it possible that a certificate is in the way? It asks for a certificate in the IPSEC config, which I can't deselect. The tunnel does not use a certificate at all.

Logfile:
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 10:07:18 charon: 15[CFG] <41> no matching peer config found
Nov 5 10:07:18 charon: 15[CFG] <41> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 10:07:18 charon: 15[IKE] <41> sending cert request for "CN=internal-opnsense-ca"
Nov 5 10:07:18 charon: 15[IKE] <41> b.b.b.b is initiating an IKE_SA
Nov 5 10:07:18 charon: 15[ENC] <41> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 09:46:09 charon: 15[CFG] <40> no matching peer config found
Nov 5 09:46:09 charon: 15[CFG] <40> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 09:46:09 charon: 15[IKE] <40> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:46:09 charon: 15[IKE] <40> b.b.b.b is initiating an IKE_SA
Nov 5 09:46:09 charon: 15[ENC] <40> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:41:45 charon: 15[IKE] <con3|39> received INVALID_SYNTAX notify error
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (80 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (496 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> establishing CHILD_SA con3{3}
Nov 5 09:41:45 charon: 15[IKE] <con3|39> authentication of (certificate id) (myself) with pre-shared key
Nov 5 09:41:45 charon: 15[IKE] <con3|39> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:41:45 charon: 15[ENC] <con3|39> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (449 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (464 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> initiating IKE_SA con3[39] to b.b.b.b
Nov 5 09:41:45 charon: 15[CFG] received stroke: initiate 'con3'
Nov 5 09:41:45 charon: 14[CFG] added configuration 'con3'
Nov 5 09:41:45 charon: 14[CFG] id 'a.a.a.a' not confirmed by certificate, defaulting to 'certificate id'
Nov 5 09:41:45 charon: 14[CFG] loaded certificate "certificate id" from '/usr/local/etc/ipsec.d/certs/cert-3.crt'
Nov 5 09:41:45 charon: 14[CFG] received stroke: add connection 'con3'
Nov 5 09:41:45 charon: 15[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Nov 5 09:41:45 charon: 15[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 5 09:41:45 charon: 15[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 5 09:41:45 charon: 15[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 5 09:41:45 charon: 15[CFG] loaded ca certificate "CN=internal-opnsense-ca" from '/usr/local/etc/ipsec.d/cacerts/63707b99.0.crt'
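The charon lines quoted above already contain the answer that later posts confirm: the configured local ID a.a.a.a is "not confirmed by certificate" and replaced by the certificate subject, so the IKE_AUTH is sent with the certificate identity while authenticating with a pre-shared key, and the SonicWALL rejects it. The following script is an added example, not part of the post or of OPNsense, that parses a constructed subset of those log lines (same a.a.a.a / b.b.b.b placeholders) and reports the identity override and the per-SA failure reason. It assumes the usual charon line layout `MON D HH:MM:SS charon: THREAD[SUBSYSTEM] <SA> message` and treats the `(certificate id)` token as the poster's redaction of the identity charon normally prints in single quotes, so it strips both quotes and parentheses before comparing.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the charon lines quoted in the post,
# in chronological order, with the post's placeholder addresses.
SAMPLE_LOG = """\
Nov 5 09:41:45 charon: 14[CFG] loaded certificate "certificate id" from '/usr/local/etc/ipsec.d/certs/cert-3.crt'
Nov 5 09:41:45 charon: 14[CFG] id 'a.a.a.a' not confirmed by certificate, defaulting to 'certificate id'
Nov 5 09:41:45 charon: 14[CFG] added configuration 'con3'
Nov 5 09:41:45 charon: 15[IKE] <con3|39> initiating IKE_SA con3[39] to b.b.b.b
Nov 5 09:41:45 charon: 15[IKE] <con3|39> authentication of (certificate id) (myself) with pre-shared key
Nov 5 09:41:45 charon: 15[IKE] <con3|39> received INVALID_SYNTAX notify error
Nov 5 09:46:09 charon: 15[IKE] <40> b.b.b.b is initiating an IKE_SA
Nov 5 09:46:09 charon: 15[CFG] <40> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 09:46:09 charon: 15[CFG] <40> no matching peer config found
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Generic charon line: timestamp, thread id, subsystem, optional <SA> tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<sub>\w+)\] "
    r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)
# Configured local ID silently replaced by the certificate subject.
OVERRIDE_RE = re.compile(
    r"^id '(?P<configured>[^']+)' not confirmed by certificate, defaulting to '(?P<effective>[^']+)'$"
)
# Identity and method charon actually authenticates with.
AUTH_RE = re.compile(r"^authentication of (?P<local>.+?) \(myself\) with (?P<method>.+)$")
# Responder-side peer config lookup: addr[id]...addr[id].
LOOKUP_RE = re.compile(
    r"^looking for peer configs matching (?P<l_addr>\S+?)\[(?P<l_id>[^\]]*)\]"
    r"\.\.\.(?P<r_addr>\S+?)\[(?P<r_id>[^\]]*)\]$"
)
FAILURE_MARKERS = ("INVALID_SYNTAX", "AUTH_FAILED", "no matching peer config found")


def parse_line(line):
    """Return the fields of one charon log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def identity_overrides(records):
    """All (configured_id, effective_id) pairs where charon swapped in the cert subject."""
    out = []
    for r in records:
        m = OVERRIDE_RE.match(r["msg"])
        if m:
            out.append((m["configured"], m["effective"]))
    return out


def sa_outcomes(records):
    """Per IKE_SA: local identity and auth method used, peer lookup IDs, first failure reason."""
    sas = OrderedDict()
    for r in records:
        if r["sa"] is None:
            continue
        info = sas.setdefault(
            r["sa"], {"local_id": None, "method": None, "peer_lookup": None, "failure": None}
        )
        msg = r["msg"]
        m = AUTH_RE.match(msg)
        if m:
            info["local_id"], info["method"] = m["local"], m["method"]
        m = LOOKUP_RE.match(msg)
        if m:
            info["peer_lookup"] = (m["l_id"], m["r_id"])
        if info["failure"] is None and any(k in msg for k in FAILURE_MARKERS):
            info["failure"] = msg
    return sas


def diagnose(text):
    """Summarise why the tunnel fails: identity overrides plus per-SA failure reasons."""
    records = parse_log(text)
    overrides = identity_overrides(records)
    effective_ids = {eff for _, eff in overrides}
    findings = []
    for configured, effective in overrides:
        findings.append(
            f"local IKE ID '{configured}' replaced by certificate identity '{effective}'"
        )
    sas = sa_outcomes(records)
    for sa, info in sas.items():
        # Assumption: the poster's "(certificate id)" stands for charon's quoted identity.
        used = (info["local_id"] or "").strip("'()")
        if info["method"] and "pre-shared" in info["method"] and used in effective_ids:
            findings.append(f"SA {sa}: PSK auth but IDi '{used}' comes from a certificate")
        if info["failure"]:
            findings.append(f"SA {sa}: {info['failure']}")
    return {"overrides": overrides, "sas": sas, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG)["findings"]:
        print(line)
```

Run on the sample it reports the a.a.a.a to "certificate id" override, the PSK-with-certificate-identity mismatch on con3, and the responder-side "no matching peer config found" for the peer's own attempt; on a live system the same script can be pointed at the IPsec log to confirm the fix in post #10 took effect (no override line, IDi equal to the configured address).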
#15
I only had it on this setting.